Failure to mount /sys in nested ‘guix shell’ container

Open

Details

2 participants

Josselin Poiret
Ludovic Courtès

Owner: unassigned

Submitted by: Ludovic Courtès

Severity: normal

Ludovic Courtès wrote on 21 Feb 2023 23:45

Failure to mount /sys in nested ‘guix shell ’ container

Recipients:(address . bug-guix@gnu.org)

Message-ID:87v8jud4e7.fsf@inria.fr

Hi!

As reported by Konrad¹, nested ‘guix shell -C’ fails:

Toggle snippet (7 lines)

$ guix shell -CN guix \

--expose=/var/guix/daemon-socket/socket \

--expose=/gnu/store \

-- guix shell -C coreutils -- ls /

guix shell: error: mount: mount "none" on "/tmp/guix-directory.xO3FIx/sys": Operation not permitted

Strace shows this:

Toggle snippet (13 lines)17541 clone(child_stack=NULL, flags=CLONE_NEWNS|CLONE_NEWCGROUP|CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWNET|SIGCHLD) = 7
[…]
mount("none", "/tmp/guix-directory.d6rKy1", "tmpfs", 0, NULL) = 0
mkdir("/tmp", 0777)               = -1 EEXIST (File exists)
mkdir("/tmp/guix-directory.d6rKy1", 0777) = -1 EEXIST (File exists)
mkdir("/tmp/guix-directory.d6rKy1/proc", 0777) = 0
mount("none", "/tmp/guix-directory.d6rKy1/proc", "proc", MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL) = 0
mkdir("/tmp", 0777)               = -1 EEXIST (File exists)
mkdir("/tmp/guix-directory.d6rKy1", 0777) = -1 EEXIST (File exists)
mkdir("/tmp/guix-directory.d6rKy1/sys", 0777) = 0
mount("none", "/tmp/guix-directory.d6rKy1/sys", "sysfs", MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL) = -1 EPERM (Operation not permitted)

It does work if the nested ‘guix shell’ uses ‘-CN’ instead of ‘-C’,

thanks to this bit in (gnu build linux-container)

(mount-file-systems root mounts

#:mount-/proc? (memq 'pid namespaces)

#:mount-/sys? (memq 'net

namespaces)) ;<---

The reason for this bug seems to be given here:

https://github.com/nestybox/sysbox/issues/67#issuecomment-726285026

It’s not clear whether there’s anything we can do, other than

recommending ‘-CN’ as well in the nested container.

Thoughts?

Ludo’.

¹ https://lists.gnu.org/archive/html/guix-devel/2023-02/msg00027.html

Josselin Poiret wrote on 2 Mar 2023 10:54

Re: bug#61690: Failure to mount /sys in nested ‘gui x shell’ container

Recipients:(name . Konrad Hinsen)(address . konrad.hinsen@cnrs.fr)

Message-ID:878rgflbqb.fsf@jpoiret.xyz

Hi Ludo,

Ludovic Courtès <ludovic.courtes@inria.fr> writes:

Toggle quote (7 lines)

> The reason for this bug seems to be given here:

> https://github.com/nestybox/sysbox/issues/67#issuecomment-726285026

> It’s not clear whether there’s anything we can do, other than

> recommending ‘-CN’ as well in the nested container.

Couldn't we always create a new network namespace, but when -N is passed
it also has a veth interface?  The one problem I can think of is that
we'd need to either create one veth per interface in the parent
namespace or let the user specify which interface should be shared.

Best,
-- 
Josselin Poiret

Ludovic Courtès wrote on 2 Mar 2023 18:11

Recipients:(name . Josselin Poiret)(address . dev@jpoiret.xyz)

Message-ID:87wn3z3wp7.fsf@inria.fr

Hi Josselin,

Josselin Poiret <dev@jpoiret.xyz> skribis:

Toggle quote (14 lines)> Ludovic Courtès <ludovic.courtes@inria.fr> writes:
>
>> The reason for this bug seems to be given here:
>>
>>   https://github.com/nestybox/sysbox/issues/67#issuecomment-726285026
>>
>> It’s not clear whether there’s anything we can do, other than
>> recommending ‘-CN’ as well in the nested container.
>
> Couldn't we always create a new network namespace, but when -N is passed
> it also has a veth interface?  The one problem I can think of is that
> we'd need to either create one veth per interface in the parent
> namespace or let the user specify which interface should be shared.

Maybe we could, but I must confess I’m totally clueless on this veth

thing. :-)

What would this entail? Hopefully guile-netlink can help?

Thanks,

Ludo’.

Josselin Poiret wrote on 2 Mar 2023 18:32

Recipients:(name . Ludovic Courtès)(address . ludovic.courtes@inria.fr)

Message-ID:875ybjrrco.fsf@jpoiret.xyz

Hi Ludo,

Ludovic Courtès <ludovic.courtes@inria.fr> writes:

Toggle quote (5 lines)

> Maybe we could, but I must confess I’m totally clueless on this veth

> thing. :-)

> What would this entail? Hopefully guile-netlink can help?

So, a veth (Virtual Ethernet) device is basically a pipe but for network
devices: they're created in pairs, and any packet going through one end
is instantly received on the other end.  You can then transmit packets
between network namespaces.

One problem that totally slipped by me is that you need to be root to
create a veth device in the original namespace... Rootless containers
use slirp4netns, which is basically a userspace TCP/IP stack
communicating with a special network device in the new namespace (over
which you have complete rights). The situation might thus be a bit more
complicated, since we'd need another library/program as a dependency to
achieve this. I guess there's no best solution for now then :/

Best,
-- 
Josselin Poiret

Your comment

Commenting via the web interface is currently disabled.

To comment on this conversation send an email to 61690@debbugs.gnu.org

is:open	open issues
is:done	closed issues
submitter:<who>	search issue submitter
author:<who>	search by message author
date:yesterday..now	search by issue date
mdate:3m..2d	search by message date